
Re: pf address pools

So, do you think it might be better to use ipfilter than pf on OpenBSD in
that case?
And the next question is, is it useful to have wide-spread (more than one
IP subnet) servers to do load-balancing on?
After all, that is a feature the BigIP supports, and I know that at least
www.heisse.de is using this to implement complete redundancy by
location-separated servers.
But for most users, that should be enough.
@Daniel Hartmeyer: is auto-detection of down hosts implemented in the
load-balancing code in pf?
By the way: my company is nearly 100% convinced to kick our Nokia /
CheckPoint and to take an OpenBSD/pf box to replace it, due to several
problems with our ISP and their understanding of "Management" and "Support".
----- Original Message -----
From: "Darren Reed" <[email protected]>
To: "Jedi/Sector One" <[email protected]>
Cc: <[email protected]>
Sent: Friday, November 29, 2002 9:53 AM
Subject: Re: pf address pools
> In some mail from Jedi/Sector One, sie said:
> >
> > On Thu, Nov 28, 2002 at 11:59:37PM +0000, Ryan McBride wrote:
> > > rdr on $ext_if from any to $public_ip port 80 -> \
> > > source-hash
> >
> >   As a side note, source-hash (a feature called 'sticky balancing' on
> > hardware load balancers) is very useful for web servers with PHP
> >
> >  - by default, PHP saves sessions in local files.
> >  - to speed up things, it's also possible to use shared memory.
> >  - poorly written PHP scripts (those that customers like to install)
> > like to create temporary files in /tmp.
> >
> >   Without sticky balancing, a typical syndrome is that users have to
> > re-authenticate several times while browsing a web site.
> Well I don't think the above is a good implementation of sticky
> load balancing because it confines your destination IP addresses
> to be a single subnet mask range.
> I did sticky redirection for IPFilter last month, I think, and that
> implementation does not have this problem.  More importantly, the
> stickiness can be mixed with any other redirection options.
> If routers use the above for stickiness then said routers suck, IMHO.
> Darren
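
The contrast raised in the quoted reply, as an added Python model that is not part of the thread and is not pf or IPFilter code: hashing the client address into one address block versus remembering a per-client choice made over an arbitrary backend list. The function and class names, the key, and all addresses are constructed for illustration, and the hash construction is an assumption.

```python
import hashlib
import ipaddress

def source_hash_pick(src_ip, pool_cidr, key=b"constructed-key"):
    """Model of a hash-into-a-block pool: the network bits come from the
    pool, the host bits from a keyed hash of the client address."""
    net = ipaddress.ip_network(pool_cidr)
    digest = hashlib.sha256(key + ipaddress.ip_address(src_ip).packed).digest()
    host_bits = int.from_bytes(digest[:16], "big") & int(net.hostmask)
    # Every result is network + host_bits, so it can never leave pool_cidr.
    # (This model does not skip the network or broadcast address.)
    return str(net.network_address + host_bits)

class StickyTable:
    """Model of table-based stickiness: remember the first choice per
    client; the choice itself can come from any policy (round-robin here)."""
    def __init__(self, backends):
        self.backends = list(backends)   # arbitrary addresses, any subnet
        self.assigned = {}               # client address -> backend
        self.cursor = 0

    def pick(self, src_ip):
        if src_ip not in self.assigned:
            self.assigned[src_ip] = self.backends[self.cursor % len(self.backends)]
            self.cursor += 1
        return self.assigned[src_ip]

if __name__ == "__main__":
    clients = ["198.51.100.7", "203.0.113.9", "198.51.100.7"]  # constructed
    print([source_hash_pick(c, "10.0.0.0/29") for c in clients])
    table = StickyTable(["10.0.0.10", "172.16.5.20", "192.0.2.30"])  # constructed
    print([table.pick(c) for c in clients])
```

The hash model needs no per-client state but can only reach addresses inside the one block; the table model reaches any backend at the cost of keeping an entry per client.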